So I tried to send mail from my laptop to my server a few minutes ago, and it said connection refused. I thought that was pretty rude, so I figured I would have a talk with Postfix. But Postfix was dead. Long live Postfix.

Note that I had just done a SuseWatcher upgrade. I don't remember what it upgraded, and don't know how to find out, but based on the timing, I assume that's what killed Postfix. You see, I get so much email, it's rare to find a couple of minutes gap in my /var/log/mail roughly when I ran susewatcher. So I have:

Nov 20 16:15:32 uni postfix/qmgr[2197]: 77A931C645: from=<bounce-indiv-david=thekramers.net at craigslist.org>, size=1620, nrcpt=1 (queue active)
Nov 20 16:15:32 uni postfix/smtpd[3403]: disconnect from mxout3.craigslist.org[130.94.251.47]
Nov 20 16:15:33 uni postfix/local[3405]: 77A931C645: to=<david at thekramers.net>, relay=local, delay=2, status=sent ("|/usr/bin/procmail")
Nov 20 16:16:05 uni postfix/postfix-script: refreshing the Postfix mail system
Nov 20 16:16:06 uni postfix/master[2191]: reload configuration
Nov 20 16:16:06 uni postfix/master[2191]: terminating on signal 11
Nov 20 16:29:35 uni postfix/postfix-script: starting the Postfix mail system
Nov 20 16:29:35 uni postfix/master[5363]: daemon started -- version 2.0.14
Nov 20 16:29:36 uni postfix/qmgr[5367]: 3B7411C186: from=<david at thekramers.net>, size=1470, nrcpt=1 (queue active)
Nov 20 16:29:37 uni postfix/pickup[5366]: 207181C645: uid=0 from=<root>

I'm willing to accept that Postfix getting killed by an upgrade is unrelated to the break-in attempts, but I thought I would mention it. I'll also mention that I run rkhunter (Rootkit Hunter), and it hasn't found any problems.

So I started combing through my /var/log/messages and found LOTS of entries like:

Nov 17 03:14:30 uni sshd[29492]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(hosted.by.denit.net) didn't return ::ffff:62.148.172.222
Nov 17 03:14:30 uni sshd[29492]: Did not receive identification string from ::ffff:62.148.172.222
Nov 17 03:27:00 uni /USR/SBIN/CRON[32648]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/nightly_gzip)
Nov 17 03:31:12 uni sshd[32701]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(unknown.Level3.net) didn't return ::ffff:63.211.110.162
Nov 17 03:31:12 uni sshd[32701]: Address 63.211.110.162 maps to unknown.level3.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 17 03:31:12 uni sshd[32701]: Failed password for root from ::ffff:63.211.110.162 port 42813 ssh2
Nov 17 03:31:12 uni sshd[32701]: Received disconnect from ::ffff:63.211.110.162: 11: Bye Bye
Nov 17 03:31:12 uni sshd[32702]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(unknown.level3.net) didn't return ::ffff:63.211.110.162
Nov 17 03:31:13 uni sshd[32702]: Address 63.211.110.162 maps to unknown.level3.net, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
Nov 17 03:31:13 uni sshd[32702]: Failed password for root from ::ffff:63.211.110.162 port 42980 ssh2
Nov 17 03:31:13 uni sshd[32702]: Received disconnect from ::ffff:63.211.110.162: 11: Bye Bye

and

Nov 17 08:06:16 uni sshd[8429]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(211-21-168-36.HINET-IP.hinet.net): Name or service not known
Nov 17 08:06:16 uni sshd[8429]: Did not receive identification string from ::ffff:211.21.168.36
Nov 17 08:06:51 uni sshd[8441]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(reverse.completel.net): Name or service not known
Nov 17 08:06:51 uni sshd[8441]: Did not receive identification string from ::ffff:195.167.199.10
Nov 17 08:39:01 uni sshd[9856]: warning: /etc/hosts.allow, line 63: can't verify hostname: getaddrinfo(211-21-168-36.hinet-ip.hinet.net): Name or service not known
(I may ask for help on /etc/hosts.allow at some later point)
Nov 17 08:39:06 uni sshd[9856]: Connection closed by ::ffff:211.21.168.36
Nov 17 08:54:55 uni sshd[10487]: Failed password for root from ::ffff:218.28.5.170 port 39375 ssh2
Nov 17 08:54:57 uni sshd[10487]: Received disconnect from ::ffff:218.28.5.170: 11: Bye Bye
Nov 17 08:55:04 uni sshd[10488]: Failed password for root from ::ffff:218.28.5.170 port 39621 ssh2
Nov 17 08:55:05 uni sshd[10488]: Received disconnect from ::ffff:218.28.5.170: 11: Bye Bye
Nov 17 08:55:15 uni sshd[10505]: Connection closed by ::ffff:218.28.5.170

and

Nov 18 22:28:13 uni sshd[11613]: Illegal user 1 from ::ffff:219.117.206.144
Nov 18 22:28:13 uni sshd[11613]: input_userauth_request: illegal user 1
Nov 18 22:28:13 uni sshd[11613]: Failed password for illegal user 1 from ::ffff:219.117.206.144 port 51830 ssh2
Nov 18 22:28:13 uni sshd[11613]: Received disconnect from ::ffff:219.117.206.144: 11: Bye Bye
Nov 18 22:28:17 uni sshd[11615]: Illegal user 2005 from ::ffff:219.117.206.144
Nov 18 22:28:17 uni sshd[11615]: input_userauth_request: illegal user 2005
Nov 18 22:28:17 uni sshd[11615]: Failed password for illegal user 2005 from ::ffff:219.117.206.144 port 51933 ssh2
Nov 18 22:28:17 uni sshd[11615]: Received disconnect from ::ffff:219.117.206.144: 11: Bye Bye
Nov 18 22:28:20 uni sshd[11616]: Illegal user 20admin from ::ffff:219.117.206.144
Nov 18 22:28:20 uni sshd[11616]: input_userauth_request: illegal user 20admin
Nov 18 22:28:20 uni sshd[11616]: Failed password for illegal user 20admin from ::ffff:219.117.206.144 port 52054 ssh2
Nov 18 22:28:21 uni sshd[11616]: Received disconnect from ::ffff:219.117.206.144: 11: Bye Bye
Nov 18 22:28:23 uni sshd[11619]: Illegal user 20info from ::ffff:219.117.206.144
Nov 18 22:45:30 uni sshd[12846]: Failed password for illegal user chuck from ::ffff:219.117.206.144 port 50078 ssh2
Nov 18 22:45:31 uni sshd[12846]: Received disconnect from ::ffff:219.117.206.144: 11: Bye Bye
Nov 18 22:45:39 uni sshd[12858]: Illegal user cialis from ::ffff:219.117.206.144
Nov 18 22:45:39 uni sshd[12858]: input_userauth_request: illegal user cialis
Nov 18 22:45:39 uni sshd[12858]: Failed password for illegal user cialis from ::ffff:219.117.206.144 port 50387 ssh2
Nov 18 22:45:41 uni sshd[12858]: Connection closed by ::ffff:219.117.206.144
Nov 20 10:27:52 uni sshd[27238]: input_userauth_request: illegal user 123123
Nov 20 10:27:52 uni sshd[27238]: Failed password for illegal user 123123 from ::ffff:61.172.206.118 port 34880 ssh2
Nov 20 10:27:52 uni sshd[27238]: Received disconnect from ::ffff:61.172.206.118: 11: Bye Bye
Nov 20 10:27:55 uni sshd[27239]: Illegal user 2welcome from ::ffff:61.172.206.118
Nov 20 10:27:55 uni sshd[27239]: input_userauth_request: illegal user 2welcome
Nov 20 10:27:55 uni sshd[27239]: Failed password for illegal user 2welcome from ::ffff:61.172.206.118 port 34935 ssh2
Nov 20 10:27:55 uni sshd[27239]: Received disconnect from ::ffff:61.172.206.118: 11: Bye Bye
Nov 20 10:27:57 uni sshd[27240]: Illegal user cvsssh from ::ffff:61.172.206.118
Nov 20 10:27:57 uni sshd[27240]: input_userauth_request: illegal user cvsssh
Nov 20 10:27:57 uni sshd[27240]: Failed password for illegal user cvsssh from ::ffff:61.172.206.118 port 34990 ssh2
Nov 20 10:27:57 uni sshd[27240]: Received disconnect from ::ffff:61.172.206.118: 11: Bye Bye
Nov 20 10:28:00 uni sshd[27241]: Illegal user mailnull from ::ffff:61.172.206.118
Nov 20 10:28:00 uni sshd[27241]: input_userauth_request: illegal user mailnull
Nov 20 10:28:00 uni sshd[27241]: Failed password for illegal user mailnull from ::ffff:61.172.206.118 port 35050 ssh2
Nov 20 10:28:00 uni sshd[27241]: Received disconnect from ::ffff:61.172.206.118: 11: Bye Bye

And so on.

Note that the 61.172.0.0/16 IP block is in China, and 219.96.0.0/16 is in Japan. I am very tempted to block those whole ranges from my firewall, at least temporarily. The others are Qwest, Verio, etc., and I can't do anything about those. Is there *anything* else I can do? There's hundreds of these attempts.

-- 
"Ignorance simplifies ANY problem."
R. Lucke
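An added example, not part of the original post, showing the first thing a defender would do with a /var/log/messages full of entries like the ones quoted above: count "Failed password" events per source address (coping with the ::ffff: IPv4-mapped form this sshd logs), list the sources that cross a threshold, and emit TCP-wrappers hosts.deny entries for them. The log lines are constructed from the post's entries, and the threshold of three is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd entries quoted in the post above.
SAMPLE_LOG = """\
Nov 17 03:31:12 uni sshd[32701]: Failed password for root from ::ffff:63.211.110.162 port 42813 ssh2
Nov 17 03:31:13 uni sshd[32702]: Failed password for root from ::ffff:63.211.110.162 port 42980 ssh2
Nov 17 03:27:00 uni /USR/SBIN/CRON[32648]: (mailman) CMD (/usr/bin/python -S /usr/lib/mailman/cron/nightly_gzip)
Nov 18 22:28:13 uni sshd[11613]: Illegal user 1 from ::ffff:219.117.206.144
Nov 18 22:28:13 uni sshd[11613]: Failed password for illegal user 1 from ::ffff:219.117.206.144 port 51830 ssh2
Nov 18 22:28:17 uni sshd[11615]: Failed password for illegal user 2005 from ::ffff:219.117.206.144 port 51933 ssh2
Nov 18 22:28:20 uni sshd[11616]: Failed password for illegal user 20admin from ::ffff:219.117.206.144 port 52054 ssh2
Nov 20 10:27:52 uni sshd[27238]: Failed password for illegal user 123123 from 61.172.206.118 port 34880 ssh2
"""

# "Failed password" is the one line per attempt; the ::ffff: prefix is the
# IPv4-mapped form sshd logs on a dual-stack socket, so it is optional here.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user )?(?P<user>\S+) "
    r"from (?:::ffff:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize(log_text):
    """Per source IP: failure count, count against nonexistent users, names tried."""
    stats = defaultdict(lambda: {"failures": 0, "illegal": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # CRON noise, hosts.allow warnings, disconnects, etc.
        s = stats[m["ip"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        if "illegal user" in line:
            s["illegal"] += 1
    return dict(stats)

def offenders(stats, threshold=3):
    """Sources with at least `threshold` failures, busiest first (threshold assumed)."""
    hits = [ip for ip, s in stats.items() if s["failures"] >= threshold]
    return sorted(hits, key=lambda ip: -stats[ip]["failures"])

def hosts_deny_lines(ips):
    """TCP-wrappers /etc/hosts.deny entries refusing sshd to the given sources."""
    return [f"sshd: {ip}" for ip in ips]

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in offenders(stats):
        print(ip, stats[ip]["failures"], "failures, names tried:", sorted(stats[ip]["users"]))
    print("\n".join(hosts_deny_lines(offenders(stats))))
```

The same regex runs unchanged over a real /var/log/messages; a high count of distinct names from one address, as in the 219.117.206.144 run, is the dictionary-scan signature rather than a mistyped password.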